Jump to content

Recommended Posts

OK -- I've been sitting here waiting to post my issues for this, but I'm still waiting (three hours later) for GMER to finish. Before I stop it and create and save the ark.txt file regardless, should I either keep waiting this thing out or should I stop it and re-scan (I'll probably need to do it in safe mode, as explained below)? Please let em know ASAP and I'll do as you suggest. I have everything else ready to go, though, so here's my explanation of my problems and the other info you guys need, sans GMER results.

I'm here til this thing gets fixed, so I'd appreciate it if whoever assists me has the time to sit here and work it out with me until it's good (it's my work computer, so I really need to get the thing clean ASAP).

THANKS!!!!

-----------------

Hey there -- Here's my deal.

I work from home, left my HP desktop running XP Pro on over the weekend. When I left it Friday it was fine. When I resumed working Monday it started out fine then I was hit by all of the symptoms of the "Windows Recovery" virus. My last system acan from Symantec was last Monday, no issues were found, but I think I may have been duped into clicking a fake java or flash update since then, which dl'd the virus.

Anyway, I manually deleted the files and registry details for Windows Recovery as suggested elsewhere, and used unhide.exe to re-display everything.

Then I started experiencing the symptoms of XP Home Security. I looked for the files to manually remove for this one and couldn't find any. I created and ran the fix.reg file suggested elsewhere. That seemed to stop the pop-up alerts and has prevented the "viw.exe" process from auto-launching (this was tied to the "XP Home Security 2011" popups).

Still, in normal mode my system is slower than molasses, so slow it wouldn't even allow me to run MBAM (it would hang during initial enumeration). So I had to restart in safe mode w/ networking, updated MBAM, and ran quick scan in safe mode (details below).

I'm almost sure there are rootkits embedded in my system, and I need your help to cleanse this thing.

FYI -- since Monday I have used the following AV tools:

Monday AM -- MBAM (because my Symantec Pro wouldn't load; although, great work it did in preventing this stuff in the first place...); MBAM found a number of issues and I removed all files listed

Monday afternoon -- Symantec Pro (nothing found)

Monday evening / overnight -- PC Tools Spyware Doctor w/AV; Found a number of issues but I didn't know it wouldn't clean them without a registration fee; I have the scan results if you'd like to see them, though (10 infections & about 670 other issues)

I was on the road Tuesday away from the unit...

Tuesday overnight -- Avast full scan (nothing found)

Wed. morning -- MBAM (again)in prep for this posting

Still getting Internet Explorer script errors associated with the viruses, and like I said, this thing is now horribly slow. Not sure about random audio because I muted my speakers (the audio just creeps me out).

Remember, it's a heck of a lot faster for me to do things in safe mode, so if you know how I can cleann this bugger without having to enter normal mede, we'll be done a lot quicker.

Help me Obi Wan Kenobi.... You're my only hope!

*** MalwareBytes log file ***

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6504

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5-4-2011 11:00:37 AM

mbam-log-2011-05-04 (11-00-37).txt

Scan type: Quick scan

Objects scanned: 189334

Time elapsed: 24 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\sharpej\Local Settings\Application Data\viw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\sharpej\Local Settings\Application Data\viw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\sharpej\Local Settings\Application Data\viw.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*** DDS ***

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by sharpej at 11:23:58.04 on Wed 05-04-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.191 [GMT -4:00]

.

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\SatSrv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Documents and Settings\sharpej\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://rf1.ruderfinn.com

uDefault_Page_URL = hxxp://rf1.ruderfinn.com

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Google Update] "c:\documents and settings\sharpej\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe"

mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot

StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 91.212.65.122 browser-security.microsoft.com

Hosts: 91.212.65.122 spyware-protector-2009.com

Hosts: 91.212.65.122 www.spyware-protector-2009.com

Hosts: 91.212.65.122 secure.spyware-protector-2009.com

Hosts: 91.212.65.122 knocker

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\sharpej\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-5-2 239168]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-5-2 338880]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-3 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-3 307288]

R1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240]

R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-3 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-3 42184]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

R2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144]

R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-2 38224]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-5-2 366840]

S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-5-2 1150936]

.

=============== Created Last 30 ================

.

2011-05-04 02:42:37 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-04 02:39:39 40112 ----a-w- c:\windows\avastSS.scr

2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software

2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-05-03 03:18:21 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2011-05-03 03:18:21 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys

2011-05-03 03:18:20 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2011-05-03 03:18:03 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2011-05-03 03:18:03 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2011-05-03 03:17:44 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:17:23 -------- d-----w- c:\program files\common files\PC Tools

2011-05-03 03:17:23 -------- d-----w- c:\docume~1\sharpej\applic~1\PC Tools

2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET

2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes

2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-13 14:56:24 -------- d-----w- c:\docume~1\sharpej\locals~1\applic~1\Identities

.

==================== Find3M ====================

.

2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe

2007-07-10 21:36:11 697492 -c----w- c:\program files\uTorrent-1.6.1-install.exe

2007-07-10 21:35:49 177152 -c----w- c:\program files\utorrent.exe

.

============= FINISH: 11:26:59.42 ===============

*** GMER ***

still waiting... *sigh*

Attach.zip

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (Spyware Doctor and avast). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Next, please update MBAM, run a Quick Scan, and post its log. Next, run DDS again and post DDS.txt in your reply.

Link to post
Share on other sites

Here you go -- MBAM & DDS. MBAM detected no malicious items...

*** MBAM #2 ***

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6504

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5-4-2011 5:12:22 PM

mbam-log-2011-05-04 (17-12-22).txt

Scan type: Quick scan

Objects scanned: 191243

Time elapsed: 18 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*** DDS ***

.

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK

Run by sharpej at 17:14:47.23 on Wed 05-04-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.176 [GMT -4:00]

.

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\sharpej\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://rf1.ruderfinn.com

uDefault_Page_URL = hxxp://rf1.ruderfinn.com

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Google Update] "c:\documents and settings\sharpej\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe"

mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot

StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 91.212.65.122 browser-security.microsoft.com

Hosts: 91.212.65.122 spyware-protector-2009.com

Hosts: 91.212.65.122 www.spyware-protector-2009.com

Hosts: 91.212.65.122 secure.spyware-protector-2009.com

Hosts: 91.212.65.122 knocker

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\sharpej\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

============= SERVICES / DRIVERS ===============

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-5-2 239168]

R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-5-2 338880]

S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240]

S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552]

S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

S3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-5-2 366840]

S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-5-2 1150936]

UnknownUnknown aswFsBlk;aswFsBlk; [x]

UnknownUnknown aswSnx;aswSnx; [x]

UnknownUnknown aswSP;aswSP; [x]

.

=============== Created Last 30 ================

.

2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software

2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-05-03 03:18:21 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys

2011-05-03 03:18:21 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys

2011-05-03 03:18:20 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2011-05-03 03:18:03 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2011-05-03 03:18:03 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2011-05-03 03:17:44 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:17:23 -------- d-----w- c:\program files\common files\PC Tools

2011-05-03 03:17:23 -------- d-----w- c:\docume~1\sharpej\applic~1\PC Tools

2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET

2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes

2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-13 14:56:24 -------- d-----w- c:\docume~1\sharpej\locals~1\applic~1\Identities

.

==================== Find3M ====================

.

2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe

2007-07-10 21:36:11 697492 -c----w- c:\program files\uTorrent-1.6.1-install.exe

2007-07-10 21:35:49 177152 -c----w- c:\program files\utorrent.exe

.

============= FINISH: 17:16:00.53 ===============

Link to post
Share on other sites

Realized I hadn't updated MBAM before I posted its report after you requested it, so here it is after the update (def. 6508)

Thanks for your help!!!

***MBAM***

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6508

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5-4-2011 7:20:02 PM

mbam-log-2011-05-04 (19-20-02).txt

Scan type: Quick scan

Objects scanned: 193519

Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***DDS***

.

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK

Run by sharpej at 20:00:09.70 on Wed 05-04-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.233 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\sharpej\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://rf1.ruderfinn.com

uDefault_Page_URL = hxxp://rf1.ruderfinn.com

uURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Google Update] "c:\documents and settings\sharpej\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe"

mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot

StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 91.212.65.122 browser-security.microsoft.com

Hosts: 91.212.65.122 spyware-protector-2009.com

Hosts: 91.212.65.122 www.spyware-protector-2009.com

Hosts: 91.212.65.122 secure.spyware-protector-2009.com

Hosts: 91.212.65.122 knocker

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\sharpej\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

============= SERVICES / DRIVERS ===============

.

S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240]

S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552]

S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

S3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

.

=============== Created Last 30 ================

.

2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software

2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET

2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes

2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-13 14:56:24 -------- d-----w- c:\docume~1\sharpej\locals~1\applic~1\Identities

.

==================== Find3M ====================

.

2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe

2007-07-10 21:36:11 697492 -c----w- c:\program files\uTorrent-1.6.1-install.exe

2007-07-10 21:35:49 177152 -c----w- c:\program files\utorrent.exe

.

============= FINISH: 20:01:21.50 ===============

Link to post
Share on other sites

ComboFix won't run. Blue box opens, cursor flashes, then hangs. Doesn't even "Prepare to run". I watched it sit there not doing anything for 20 mins. No scan, no nothing. My system is running super slow in normal mode (as mentioned inmy initial post), so should I run it in Safe Mode? If so, with or without networking?

Thanks-

J

Link to post
Share on other sites

Okie doke -- Ran ComboFix in Safe Mode w/ Networking; everything went off fine, see results below. Then I restarted the computer in normal mode to see how it runs and perform the DDS scan. Initial startup was still much slower than normal, and the random "Internet Explorer Script Error" messages continue to pop up. Random creepy audio still happens, as well. System ground for about 10 mins. after startup before I was comfortable starting the DDS scan. After startup was complete, system seemed to process at a much more normal pace, Chrome opened / closed quickly, and saving the .txt files from DDS took no time at all.

See results below. Looking forward to the next steps!

Thanks Chris!

*** COMBOFIX ***

ComboFix 11-05-06.03 - sharpej 05-07-2011 0:46.3.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.322 [GMT -4:00]

Running from: c:\documents and settings\sharpej\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\All Users\Application Data\Tarma Installer

c:\documents and settings\All Users\Application Data\Tarma Installer\{8912A802-1DD4-41F3-8450-B3209081BDB9}\_Setup.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{8912A802-1DD4-41F3-8450-B3209081BDB9}\_Setupx.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{8912A802-1DD4-41F3-8450-B3209081BDB9}\Setup.dat

c:\documents and settings\All Users\Application Data\Tarma Installer\{8912A802-1DD4-41F3-8450-B3209081BDB9}\Setup.exe

c:\documents and settings\All Users\Application Data\Tarma Installer\{8912A802-1DD4-41F3-8450-B3209081BDB9}\Setup.ico

c:\documents and settings\sharpej\WINDOWS

K:\autorun.inf

.

----- BITS: Possible infected sites -----

.

hxxp://ptaex1:8530

.

((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))

.

.

2011-05-04 02:38 . 2011-05-04 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-04 02:38 . 2011-05-04 02:38 -------- d-----w- c:\program files\AVAST Software

2011-05-03 03:17 . 2011-05-04 22:19 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:17 . 2011-05-04 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-05-03 03:15 . 2011-05-04 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-05-02 21:27 . 2011-05-02 21:27 -------- d-----w- c:\program files\ESET

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\sharpej\Application Data\Malwarebytes

2011-05-02 17:09 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-02 16:01 . 2011-05-02 16:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Steganos

2011-05-02 14:27 . 2011-05-02 14:27 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-04-13 14:56 . 2011-04-13 14:56 -------- d-----w- c:\documents and settings\sharpej\Local Settings\Application Data\Identities

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-24 02:28 . 2009-11-24 02:28 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56 . 2009-11-22 15:55 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27 . 2009-11-22 15:27 426352 -c----w- c:\program files\ds_dm.exe

2007-07-10 21:36 . 2007-07-10 21:36 697492 -c----w- c:\program files\uTorrent-1.6.1-install.exe

2007-07-10 21:35 . 2007-07-10 21:35 177152 -c----w- c:\program files\utorrent.exe

2009-01-27 01:34 . 2009-01-27 01:34 1044480 -c----w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-01-27 01:34 . 2009-01-27 01:34 200704 -c----w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSS2008 File Redirection Starter"="c:\program files\Steganos Privacy Suite 2008\fredirstarter.exe" [2008-03-05 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-15 180269]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-04-01 95960]

"SSS2008 PasswordManagerFFAutoFill"="c:\program files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe" [2008-03-11 21504]

"SSS2008 HotKeys"="c:\program files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe" [2008-03-11 25088]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

"SSS2006"="c:\program files\Steganos Security Suite 2006\SSS2006.exe" [2006-05-24 5279744]

.

c:\documents and settings\sharpej\Start Menu\Programs\Startup\

Sprint media monitor.lnk - c:\windows\RM.exe [2008-10-29 222552]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 110592]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 110592]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-126801549-2095378277-3947723013-6204\Scripts\Logon\0\0]

"Script"=PTAPrinterScript.VBS

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-126801549-2095378277-3947723013-6204\Scripts\Logon\1\0]

"Script"=PTAMapDrives.VBS

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\utorrent.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [10-4-2005 11:42 AM 74240]

S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [10-11-2007 7:24 AM 79104]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5-1-2009 3:35 PM 181544]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1-7-2010 11:28 AM 135664]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [6-4-2009 2:30 PM 151552]

S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [5-24-2006 6:23 AM 184320]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1-7-2010 11:28 AM 135664]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [6-4-2009 2:30 PM 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [3-25-2007 2:15 PM 7548]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3-12-2004 3:18 PM 169192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-07 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-11 23:41]

.

2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 15:28]

.

2011-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 15:28]

.

2011-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-126801549-2095378277-3947723013-6204Core.job

- c:\documents and settings\sharpej\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-30 05:39]

.

2011-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-126801549-2095378277-3947723013-6204UA.job

- c:\documents and settings\sharpej\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-30 05:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://rf1.ruderfinn.com

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\sharpej\Application Data\Mozilla\Firefox\Profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

AddRemove-{8912A802-1DD4-41F3-8450-B3209081BDB9} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{8912A~1\Setup.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-07 01:02

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-05-07 01:09:19

ComboFix-quarantined-files.txt 2011-05-07 05:08

ComboFix2.txt 2009-04-02 03:20

.

Pre-Run: 123,439,489,024 bytes free

Post-Run: 128,113,041,408 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

.

- - End Of File - - E0D56E3FECFF5DF9DECA2860ADA48527

*** DDS ***

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by sharpej at 1:24:56.25 on Sat 05-07-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.181 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\SatSrv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe

C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Sprint Instinct Applications\MEMonitor.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Documents and Settings\sharpej\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://rf1.ruderfinn.com

uURLSearchHooks: H - No File

BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe"

mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot

StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

============= SERVICES / DRIVERS ===============

.

R1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240]

R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552]

R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

R2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144]

R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

.

=============== Created Last 30 ================

.

2011-05-07 04:42:14 -------- d-sha-r- C:\cmdcons

2011-05-07 04:37:10 98816 ----a-w- c:\windows\sed.exe

2011-05-07 04:37:10 89088 ----a-w- c:\windows\MBR.exe

2011-05-07 04:37:10 256512 ----a-w- c:\windows\PEV.exe

2011-05-07 04:37:10 161792 ----a-w- c:\windows\SWREG.exe

2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software

2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET

2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes

2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-13 14:56:24 -------- d-----w- c:\docume~1\sharpej\locals~1\applic~1\Identities

.

==================== Find3M ====================

.

2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe

2007-07-10 21:36:11 697492 -c----w- c:\program files\uTorrent-1.6.1-install.exe

2007-07-10 21:35:49 177152 -c----w- c:\program files\utorrent.exe

.

============= FINISH: 1:27:13.01 ===============

Link to post
Share on other sites

  • Staff

Hi,

Delete these files:

c:\program files\uTorrent-1.6.1-install.exe

c:\program files\utorrent.exe

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

OK -- Ran both. Had to run ESET in Safe Mode because Normal Mode was taking forever.

Now that both scans are complete, I'm still experiencing very slow start-up, slower than normal operation once booted up, mystery audio, and auto-redirects from Google searches. Also noticed that under my "Start" menu, when I look at my "All Programs" list many of the program folders state that they're "(Empty)". Haven't received any "Internet Explorer Script Error" messages yet, but I'll let you know if I do.

Here are the logs, and looking forward to next steps.

Thanks Chris-

Jared

----------------------------

*** ESET ***

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb

# end=stopped

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-05-02 09:34:57

# local_time=2011-05-02 05:34:57 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=3380

# found=0

# cleaned=0

# scan_time=248

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-09 01:14:35

# local_time=2011-05-09 09:14:35 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 485851 485851 0 0

# scanned=8563

# found=0

# cleaned=0

# scan_time=2987

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-09 03:29:10

# local_time=2011-05-09 11:29:10 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 489308 489308 0 0

# scanned=119728

# found=2

# cleaned=2

# scan_time=7606

H:\I386\Apps\APP12302\src\SpyInstall_HPPre.exe probably a variant of Win32/Agent.HVEUCPZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

H:\System Volume Information\_restore{E23F125D-7307-4B2A-BF76-7586BCAC24BE}\RP2\A0000098.exe probably a variant of Win32/Agent.HVEUCPZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

*** Security Check ***

Results of screen317's Security Check version 0.99.10

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Disabled!

ESET Online Scanner v3

Symantec AntiVirus

iolo technologies' DriveScrubber 3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 18

Out of date Java installed!

Adobe Flash Player 10.2.152.32

Adobe Reader X

Mozilla Firefox (3.6.17) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Link to post
Share on other sites

By the way, my Symantec ran its scheduled weekly scan this evening (in normal mode) and found no threats in 227,780 files scanned (C & H drives). Scan took 156:11, more than twice the usual time (usually about 65-75 mins.).

Just thought you might like to know!

Thanks-

J

Link to post
Share on other sites

Here are the ComboFix & DDS reports. Had to run ComboFix in Safe Mode again, so I ran DDS in it to just to save time and aggravation.

Still getting IE Script Error messages even in Safe Mode as I post this. I'll restart after I post and let you know of any other issues that still remain.

Thanks-

J

*** ComboFix ***

ComboFix 11-05-11.04 - sharpej 05-12-2011 17:39:31.4.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.275 [GMT -4:00]

Running from: c:\documents and settings\sharpej\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

K:\autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))

.

.

2011-05-04 02:38 . 2011-05-04 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-04 02:38 . 2011-05-04 02:38 -------- d-----w- c:\program files\AVAST Software

2011-05-03 03:17 . 2011-05-04 22:19 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:17 . 2011-05-04 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-05-03 03:15 . 2011-05-04 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-05-02 21:27 . 2011-05-02 21:27 -------- d-----w- c:\program files\ESET

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\sharpej\Application Data\Malwarebytes

2011-05-02 17:09 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-02 16:01 . 2011-05-02 16:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Steganos

2011-05-02 14:27 . 2011-05-02 14:27 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-04-13 14:56 . 2011-04-13 14:56 -------- d-----w- c:\documents and settings\sharpej\Local Settings\Application Data\Identities

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-24 02:28 . 2009-11-24 02:28 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56 . 2009-11-22 15:55 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27 . 2009-11-22 15:27 426352 -c----w- c:\program files\ds_dm.exe

2009-01-27 01:34 . 2009-01-27 01:34 1044480 -c----w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-01-27 01:34 . 2009-01-27 01:34 200704 -c----w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSS2008 File Redirection Starter"="c:\program files\Steganos Privacy Suite 2008\fredirstarter.exe" [2008-03-05 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-15 180269]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-04-01 95960]

"SSS2008 PasswordManagerFFAutoFill"="c:\program files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe" [2008-03-11 21504]

"SSS2008 HotKeys"="c:\program files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe" [2008-03-11 25088]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

"SSS2006"="c:\program files\Steganos Security Suite 2006\SSS2006.exe" [2006-05-24 5279744]

.

c:\documents and settings\sharpej\Start Menu\Programs\Startup\

Sprint media monitor.lnk - c:\windows\RM.exe [2008-10-29 222552]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 110592]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 110592]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-126801549-2095378277-3947723013-6204\Scripts\Logon\0\0]

"Script"=PTAPrinterScript.VBS

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-126801549-2095378277-3947723013-6204\Scripts\Logon\1\0]

"Script"=PTAMapDrives.VBS

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [10-4-2005 11:42 AM 74240]

S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [10-11-2007 7:24 AM 79104]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5-1-2009 3:35 PM 181544]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1-7-2010 11:28 AM 135664]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [6-4-2009 2:30 PM 151552]

S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [5-24-2006 6:23 AM 184320]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1-7-2010 11:28 AM 135664]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [6-4-2009 2:30 PM 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [3-25-2007 2:15 PM 7548]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3-12-2004 3:18 PM 169192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-12 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-11 23:41]

.

2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 15:28]

.

2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 15:28]

.

2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-126801549-2095378277-3947723013-6204Core.job

- c:\documents and settings\sharpej\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-30 05:39]

.

2011-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-126801549-2095378277-3947723013-6204UA.job

- c:\documents and settings\sharpej\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-30 05:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://rf1.ruderfinn.com

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\sharpej\Application Data\Mozilla\Firefox\Profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-12 17:52

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-05-12 17:59:12

ComboFix-quarantined-files.txt 2011-05-12 21:58

ComboFix2.txt 2011-05-07 05:09

ComboFix3.txt 2009-04-02 03:20

.

Pre-Run: 127,902,838,784 bytes free

Post-Run: 127,893,188,608 bytes free

.

- - End Of File - - 23FBF361EE94C0760CF123E969DC245B

*** DDS ***

.

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK

Run by sharpej at 18:00:44.42 on Thu 05-12-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.258 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\sharpej\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://rf1.ruderfinn.com

uURLSearchHooks: H - No File

BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe"

mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot

StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

============= SERVICES / DRIVERS ===============

.

S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240]

S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552]

S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

S3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

.

=============== Created Last 30 ================

.

2011-05-07 04:42:14 -------- d-sha-r- C:\cmdcons

2011-05-07 04:37:10 98816 ----a-w- c:\windows\sed.exe

2011-05-07 04:37:10 89088 ----a-w- c:\windows\MBR.exe

2011-05-07 04:37:10 256512 ----a-w- c:\windows\PEV.exe

2011-05-07 04:37:10 161792 ----a-w- c:\windows\SWREG.exe

2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software

2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET

2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes

2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-13 14:56:24 -------- d-----w- c:\docume~1\sharpej\locals~1\applic~1\Identities

.

==================== Find3M ====================

.

2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe

.

============= FINISH: 18:01:09.71 ===============

Link to post
Share on other sites

Startup in normal mode didn't seem too bad. A little slow, but nothing absurd. Can't stick around to see if the weird noises happen or more IE Script Error messages pop up, but I'll let you know later. meantime, if you see anything in the reports and need me to take action, please let me know.

Thanks!

-J

Link to post
Share on other sites

  • Staff

Hi,

Things are looking okay.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

OK -- Here are the logs. Prior to running ESET I still had all of the original symptoms. After running both scans I still have a Google redirect as of this post (I just checked), and I just got the weird audio again. Figure it's just a matter of time til I get more IE Script Error messages, too.

Also you'll notice that the ESET scan (which I ran in Normal mode this time) took over 4 hours 15 mins., more than double what it took to run in Safe Mode the first time you had me run it. Ironically, it didn't find anything this time, either.

It's been two weeks now, and I don't think we've gotten anywhere with this thing -- I'm still showing the same symptoms as when I first posted. Oh, and there's another IE Script Error message....

Argh -- I'm just lucky I've been able to trick out my little ASUS eee netbook so I can work off of that these last couple of weeks, because I can't use this desktop machine until it's clean (I connect to my office network thru VPN, and I don't want to risk infecting the network).

Please let me know what to do next -- this damn thing is killing me...

Thanks Chris-

Jared

*** ESET ***

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb

# end=stopped

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-05-02 09:34:57

# local_time=2011-05-02 05:34:57 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=3380

# found=0

# cleaned=0

# scan_time=248

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-09 01:14:35

# local_time=2011-05-09 09:14:35 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 485851 485851 0 0

# scanned=8563

# found=0

# cleaned=0

# scan_time=2987

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-09 03:29:10

# local_time=2011-05-09 11:29:10 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 489308 489308 0 0

# scanned=119728

# found=2

# cleaned=2

# scan_time=7606

H:\I386\Apps\APP12302\src\SpyInstall_HPPre.exe probably a variant of Win32/Agent.HVEUCPZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

H:\System Volume Information\_restore{E23F125D-7307-4B2A-BF76-7586BCAC24BE}\RP2\A0000098.exe probably a variant of Win32/Agent.HVEUCPZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=57b8a1ee4a65034a8cf13c33f14031eb

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-15 05:37:11

# local_time=2011-05-15 01:37:11 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 1007687 1007687 0 0

# scanned=120227

# found=0

# cleaned=0

# scan_time=15329

*** Screen317 Security Check ***

Results of screen317's Security Check version 0.99.11

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Disabled!

ESET Online Scanner v3

Symantec AntiVirus

iolo technologies' DriveScrubber 3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 18

Out of date Java installed!

Adobe Flash Player 10.2.152.32

Adobe Reader X

Mozilla Firefox (3.6.17) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus Rtvscan.exe

iolo common lib ioloServiceManager.exe

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi,

Update MBAM, run a Quick Scan, and post its log.

Grab a fresh copy of ComboFix, run it, and post its log. Next, run DDS again and post its log.

Please download GMER from one of the following locations and save it to your Desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
    gmer_zip.gif
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      GMER_thumb.jpg
      Click the image to enlarge it

    [*] Then click the Scan button & wait for it to finish.

    [*] Once done click on the [save..] button, and in the File name area, type in "ark.txt"

    [*]Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any <--- ROOTKIT entries

Please copy and paste the report into your Post.

Link to post
Share on other sites

OK, here's everything but the GMER log. FYI, I ran MBAM in Normal mode, ComboFix & DDS in Safe Mode w/ Networking. ComboFix still will not run in Normal Mode. When GMER was completed I couldn't find the "save" button for the results (the window only listed a handful of cookies discovered in the scan), and then I accidentally closed it before I found anything. I then ran it again so I could get you a log, but the scan was sill running when I had to get to bed last night. When I woke up, the computer had restarted at some point overnight and gave me a "Windows has recovered from a serious error" message. Do you want me to run GMER again, and if so, where is the "save" button for the log? Keep in mind that I ran MBAM in Safe Mode, so the screen display size may have caused the "save" button to "fall off" the window or the page...

Anyway, after running those scans I still have a browser redirect, and like usual I figure it's just a matter of time til I get an IE Script Error message and hear phantom audio again.

Please let me know what's next...

Thanks-

Jared

*** MBAM ***

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6612

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5-18-2011 6:59:29 PM

mbam-log-2011-05-18 (18-59-29).txt

Scan type: Quick scan

Objects scanned: 187278

Time elapsed: 27 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*** COMBOFIX ***

ComboFix 11-05-17.03 - sharpej 05-18-2011 19:32:32.5.1 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.346 [GMT -4:00]

Running from: c:\documents and settings\sharpej\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))

.

.

2011-05-04 02:38 . 2011-05-04 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-04 02:38 . 2011-05-04 02:38 -------- d-----w- c:\program files\AVAST Software

2011-05-03 03:17 . 2011-05-04 22:19 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:17 . 2011-05-04 21:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2011-05-03 03:15 . 2011-05-04 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2011-05-02 21:27 . 2011-05-02 21:27 -------- d-----w- c:\program files\ESET

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\sharpej\Application Data\Malwarebytes

2011-05-02 17:09 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-02 17:09 . 2011-05-02 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-02 16:01 . 2011-05-02 16:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Steganos

2011-05-02 14:27 . 2011-05-02 14:27 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-24 02:28 . 2009-11-24 02:28 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56 . 2009-11-22 15:55 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27 . 2009-11-22 15:27 426352 -c----w- c:\program files\ds_dm.exe

2009-01-27 01:34 . 2009-01-27 01:34 1044480 -c----w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-01-27 01:34 . 2009-01-27 01:34 200704 -c----w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SSS2008 File Redirection Starter"="c:\program files\Steganos Privacy Suite 2008\fredirstarter.exe" [2008-03-05 57344]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 49152]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-15 180269]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-04-01 95960]

"SSS2008 PasswordManagerFFAutoFill"="c:\program files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe" [2008-03-11 21504]

"SSS2008 HotKeys"="c:\program files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe" [2008-03-11 25088]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

"SSS2006"="c:\program files\Steganos Security Suite 2006\SSS2006.exe" [2006-05-24 5279744]

.

c:\documents and settings\sharpej\Start Menu\Programs\Startup\

Sprint media monitor.lnk - c:\windows\RM.exe [2008-10-29 222552]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 110592]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 110592]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-126801549-2095378277-3947723013-6204\Scripts\Logon\0\0]

"Script"=PTAPrinterScript.VBS

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-126801549-2095378277-3947723013-6204\Scripts\Logon\1\0]

"Script"=PTAMapDrives.VBS

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [10-4-2005 11:42 AM 74240]

S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [10-11-2007 7:24 AM 79104]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\VCdRom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5-1-2009 3:35 PM 181544]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1-7-2010 11:28 AM 135664]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7-19-2008 3:58 AM 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [6-4-2009 2:30 PM 151552]

S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [5-24-2006 6:23 AM 184320]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1-7-2010 11:28 AM 135664]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [6-4-2009 2:30 PM 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [3-25-2007 2:15 PM 7548]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3-12-2004 3:18 PM 169192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-11 23:41]

.

2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 15:28]

.

2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 15:28]

.

2011-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-126801549-2095378277-3947723013-6204Core.job

- c:\documents and settings\sharpej\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-30 05:39]

.

2011-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-126801549-2095378277-3947723013-6204UA.job

- c:\documents and settings\sharpej\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-30 05:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://rf1.ruderfinn.com

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\sharpej\Application Data\Mozilla\Firefox\Profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-18 19:43

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(276)

c:\windows\system32\WININET.dll

.

Completion time: 2011-05-18 19:50:07

ComboFix-quarantined-files.txt 2011-05-18 23:49

ComboFix2.txt 2011-05-12 21:59

ComboFix3.txt 2011-05-07 05:09

ComboFix4.txt 2009-04-02 03:20

.

Pre-Run: 127,728,078,848 bytes free

Post-Run: 127,729,664,000 bytes free

.

- - End Of File - - CF44778763BA8EFAC345D8FEDFB5F40D

*** DDS ***

.

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK

Run by sharpej at 20:09:04.32 on Wed 05-18-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.255 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\explorer.exe

C:\Documents and Settings\sharpej\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://rf1.ruderfinn.com

uURLSearchHooks: H - No File

BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe"

mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot

StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

============= SERVICES / DRIVERS ===============

.

S1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240]

S1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552]

S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

S2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

S3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

.

=============== Created Last 30 ================

.

2011-05-07 04:42:14 -------- d-sha-r- C:\cmdcons

2011-05-07 04:37:10 98816 ----a-w- c:\windows\sed.exe

2011-05-07 04:37:10 89088 ----a-w- c:\windows\MBR.exe

2011-05-07 04:37:10 256512 ----a-w- c:\windows\PEV.exe

2011-05-07 04:37:10 161792 ----a-w- c:\windows\SWREG.exe

2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software

2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET

2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes

2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe

.

============= FINISH: 20:09:37.57 ===============

Link to post
Share on other sites

Yup -- happens in safe mode, too, with both IE & FF. Was able to uninstall Flash in Safe mode, had to switch to Normal to uninstall Java because it wouldn't allow me to remove in Safe. Took about 10 mins to open Add/Remove window and populate list off programs. When I clicked uninstall for Java, it told me my IE browser was open. I never opened it, and only opened the Add/Remove after initial startup. So there's that to mull over, too.

Anyways, did everything as instructed. Startup was still ridiculously slow. IE took forever to load, and even Task Manager took a while to load so I could check CPU / Mem usage.

Redirect still happening. No sign of IE Script Error messages, although I had four IE processes running after exiting the window I opened to check browser results. Folders under Start > All Programs are still coming up empty, too. Have to go into my C drive to access Firefox. Redirect is pointing my browser to "mvm.us" and "clickattract.org" now, whereas before I believe it was "iclickcity" or something like that. Once it sent me to GroupOn. I dunno.

No phantom audio yet, after about 15 mins.

Anyway, let me know what's next, and thanks for sticking with me here...

Link to post
Share on other sites

Yes, ran HostXpert, though it didn't seem to do anything at all. And I don't really know what "custom hosts" are, so I don't think I had any of those entries to replace.

Anyway, here's the DDS stuff. "Attach" is attached as a zip file, like in my original post. Please let me know what's next.

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by sharpej at 13:13:00.64 on Wed 05-25-2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.121 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\iolo\common\lib\ioloServiceManager.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\SatSrv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Steganos Privacy Suite 2008\fredirstarter.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Steganos Privacy Suite 2008\PasswordManagerFFAutoFill.exe

C:\Program Files\Steganos Privacy Suite 2008\SteganosHotKeyService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Documents and Settings\sharpej\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\sharpej\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\sharpej\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://rf1.ruderfinn.com

uURLSearchHooks: H - No File

BHO: Steganos Password Manager AutoFill: {1427a821-7b93-4f08-9a34-9fa03a3d93db} - c:\program files\steganos privacy suite 2008\PasswordManagerBHO.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sSS2008 File Redirection Starter] "c:\program files\steganos privacy suite 2008\fredirstarter.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe

mRun: [sSS2008 PasswordManagerFFAutoFill] "c:\program files\steganos privacy suite 2008\PasswordManagerFFAutoFill.exe"

mRun: [sSS2008 HotKeys] "c:\program files\steganos privacy suite 2008\SteganosHotKeyService.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

dRunOnce: [sSS2006] "c:\program files\steganos security suite 2006\SSS2006.exe" -firstboot

StartupFolder: c:\docume~1\sharpej\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: alltel.com\care

Trusted Zone: aol.com\free

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab

DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://rfnywebview1.ruderfinn.com:30157/webview/msxml/msxml4.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\sharpej\applic~1\mozilla\firefox\profiles\50jrvbn5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\sharpej\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com

.

============= SERVICES / DRIVERS ===============

.

R1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-4 74240]

R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 79104]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-4 151552]

R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

R2 Steganos AntiTheft;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-5-24 184320]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-2 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-2 1393144]

R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S2 ioloProductUpdate;iolo Product Update Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-19 712048]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]

S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2009-6-4 19584]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2007-3-25 7548]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

.

=============== Created Last 30 ================

.

2011-05-20 21:45:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-20 21:38:23 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-20 21:38:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-20 21:38:23 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-05-07 04:42:14 -------- d-sha-r- C:\cmdcons

2011-05-07 04:37:10 98816 ----a-w- c:\windows\sed.exe

2011-05-07 04:37:10 89088 ----a-w- c:\windows\MBR.exe

2011-05-07 04:37:10 256512 ----a-w- c:\windows\PEV.exe

2011-05-07 04:37:10 161792 ----a-w- c:\windows\SWREG.exe

2011-05-04 02:38:20 -------- d-----w- c:\program files\AVAST Software

2011-05-04 02:38:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software

2011-05-03 03:17:23 -------- d-----w- c:\program files\PC Tools Security

2011-05-03 03:15:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2011-05-02 21:27:18 -------- d-----w- c:\program files\ESET

2011-05-02 17:09:53 -------- d-----w- c:\docume~1\sharpej\applic~1\Malwarebytes

2011-05-02 17:09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-02 17:09:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-05-02 17:09:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2009-11-24 02:28:05 6694516 -c----w- c:\program files\ps3-video-converter.exe

2009-11-22 15:56:36 15534341 -c----w- c:\program files\sss2006int.exe

2009-11-22 15:27:45 426352 -c----w- c:\program files\ds_dm.exe

.

============= FINISH: 13:16:05.87 ===============

Attach.zip

Link to post
Share on other sites

OK -- Now I seem to have a really serious problem. I had left the desktop up and running after running DDS this morning, and about 20 mins. ago the fan kicked on and wasn't turning off. I thought maybe it was just because it's warm in my office, but when I turned on the monitor I had an alert window saying that "Windows Security detected a threat and needed to perform a system scan". The alert's dialog box said something like "Webpage alert" though, so I was suspicious. I had unplugged my usb mouse to use with the netbook while we clean the desktop, so I plugged it back into my desktop's usb hub to navigate, but it wasn't recognized (tried multiple usb ports). I then tried Ctrl+alt+delete to retsart, and it wouldn't let me select any of the choices, though I could tab around.

With no other options apparent, I did a hard restart, and now I have the following problem:

-- Startup in Normal mode hangs at "Windows is starting up" blue screen

-- Startup in either Safe Mode (w/ or w/o Networking) loads but gives me an all-black, blank desktop without a taskbar / Start option.

Basically, now i have nothing.

Ctrl Alt Del doesn't do anything, right-clicking the desktop does nothing... nothing does anything. I just have a black screen of nothing.

I did zilch other than post the logs to this forum earlier today, and left the computer on. I had task manager open, the dialog box from Monday evening's Symantec scan open (because I meant to tell you the scan found no threats and took 2.5 hrs to scan 192k files) and Chrome open to this forum. Since we started trying to clean it I haven't done anything with it other than run the scans you requested and use chrome, FF & IE to either post to this board or check search re-directs (always searching either for "NHL" or "Malwarebytes" and clicking on NHL.com or Malwarebytes.org in the results list).

What should I do?????????????????

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.